IPFIX Input issue 2

I opened up a community account to request help on this same issue. I’ve experienced the same issues as aazherelyeu when trying to ingest Netflow messages from vSphere.

I’m able to collect Netflow messages from PFSense with the Netflow input without any issue, but vSphere only provides the option to send Netflow v10/IPFIX messages.

Has anyone had any luck in creating a definition file for IPFIX? My suspicion is that there may be an error in how I created the file, but I haven’t been able to find a guide on how it should be done.

Welcome to the community, djames000! Glad you’re here.

I’ve split your post from aazherelyeu’s to help members find it more readily.

Hello,

I’d share my definitions files for both ipfix and velocloud but I can’t attach them here. Here is an example for ipfix:

{
  "enterprise_number": 29305,
  "information_elements": [
    {
      "element_id": 1,
      "name": "octetDeltaCount",
      "data_type": "unsigned64"
    },
    {
      "element_id": 2,
      "name": "packetDeltaCount",
      "data_type": "unsigned64"
    },
    {
      "element_id": 3,
      "name": "deltaFlowCount",
      "data_type": "unsigned64"
    },



    {
      "element_id": 491,
      "name": "bgpDestinationLargeCommunityList",
      "data_type": "basicList"
    }
  ]
}

If you had an issue with definition files, Graylog would tell you about that in graylog.log.

@djames000

I think this might be the problem, since the Netflow plugin supports NetFlow V9 and your device is running V10. It might be something with the version not matching, but I’m not 100% sure.

Thanks, aazherelyeu! I misinterpreted the Graylog IPFIX manual (IPFIX Input — Graylog 4.0.0 documentation) and originally placed the value codes in the data_type field instead of the descriptions, so I had this:

{
  "element_id": 880,
  "name": "tenantProtocol",
  "data_type": "1"
},

instead of this:

{
  "element_id": 880,
  "name": "tenantProtocol",
  "data_type": "unsigned8"
},

Making that switch cleared up my “org.graylog.integrations.ipfix.IpfixException: Missing information element definitions for private enterprise number 6876” error.

I also had another error message in graylog.log, “Unable to read information element definition file
com.fasterxml.jackson.core.JsonParseException: Unexpected character (’]’ (code 93)): expected a value”, but that was cleared up by removing an extra comma after the last element_id block.

Thanks, gsmith. I did try using an IPFIX UDP input, but that didn’t work until I fixed the IPFIX field definitions file.

For anyone that comes across this in the future, here is the VMware reference I used to build my JSON file, and the JSON file itself to interpret the vSphere NetFlow messages:

{
  "enterprise_number": 6876,
  "information_elements": [
    {
      "element_id": 880,
      "name": "tenantProtocol",
      "data_type": "unsigned8"
    },
    {
      "element_id": 881,
      "name": "tenantSourceIPv4",
      "data_type": "ipv4Address"
    },
    {
      "element_id": 882,
      "name": "tenantDestIPv4",
      "data_type": "ipv4Address"
    },
    {
      "element_id": 883,
      "name": "tenantSourceIPv6",
      "data_type": "ipv6Address"
    },
    {
      "element_id": 884,
      "name": "tenantDestIPv6",
      "data_type": "ipv6Address"
    },
    {
      "element_id": 886,
      "name": "tenantSourcePort",
      "data_type": "unsigned16"
    },
    {
      "element_id": 887,
      "name": "tenantDestPort",
      "data_type": "unsigned16"
    },
    {
      "element_id": 888,
      "name": "egressInterfaceAttr",
      "data_type": "unsigned16"
    },
    {
      "element_id": 889,
      "name": "vxlanExportRole",
      "data_type": "unsigned8"
    },
    {
      "element_id": 890,
      "name": "ingressInterfaceAttr",
      "data_type": "unsigned16"
    }
  ]
}
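Both mistakes in this thread (a numeric code in data_type, and a trailing comma that makes the file unparseable) are cheap to catch before the file ever reaches Graylog. The following validator is an added example, not code from Graylog or from anyone in the thread. It assumes the accepted data_type names are the IANA IPFIX abstract data types from RFC 7011 (the thread confirms unsigned8, unsigned16, unsigned64, ipv4Address, ipv6Address and basicList are accepted; the rest of the list is an assumption about what Graylog takes), and the three sample files are constructed to mirror the vSphere (PEN 6876) definitions above.

```python
import json
import re
from typing import List

# IANA IPFIX abstract data types (RFC 7011 / IANA "IPFIX Information Element
# Data Types" registry). Assumption: Graylog accepts exactly these names in the
# "data_type" field; the thread only confirms a subset of them.
IPFIX_DATA_TYPES = {
    "octetArray", "unsigned8", "unsigned16", "unsigned32", "unsigned64",
    "signed8", "signed16", "signed32", "signed64", "float32", "float64",
    "boolean", "macAddress", "string", "dateTimeSeconds",
    "dateTimeMilliseconds", "dateTimeMicroseconds", "dateTimeNanoseconds",
    "ipv4Address", "ipv6Address", "basicList", "subTemplateList",
    "subTemplateMultiList",
}

# A comma directly followed by a closing bracket/brace: the "extra comma after
# the last element_id block" mistake from the thread.
TRAILING_COMMA = re.compile(r",\s*[\]}]")


def validate_definition(text: str) -> List[str]:
    """Return a list of problems in an IPFIX definition file; an empty list means it is usable."""
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        msg = f"invalid JSON at line {exc.lineno}: {exc.msg}"
        if TRAILING_COMMA.search(text):
            msg += " (trailing comma before ']' or '}'?)"
        return [msg]  # nothing else can be checked until the file parses

    pen = doc.get("enterprise_number")
    if not isinstance(pen, int) or pen <= 0:
        problems.append("enterprise_number must be a positive integer (IANA PEN)")

    elements = doc.get("information_elements")
    if not isinstance(elements, list) or not elements:
        problems.append("information_elements must be a non-empty list")
        return problems

    seen_ids = set()
    for i, el in enumerate(elements):
        where = f"element #{i}"
        if not isinstance(el, dict):
            problems.append(f"{where}: must be an object")
            continue
        eid = el.get("element_id")
        # The IPFIX element ID field is 15 bits wide (RFC 7011), so 1..32767.
        if not isinstance(eid, int) or not 1 <= eid <= 32767:
            problems.append(f"{where}: element_id must be an integer in 1..32767")
        elif eid in seen_ids:
            problems.append(f"{where}: duplicate element_id {eid}")
        else:
            seen_ids.add(eid)
        name = el.get("name")
        if not isinstance(name, str) or not name:
            problems.append(f"{where}: name must be a non-empty string")
        dt = el.get("data_type")
        if isinstance(dt, str) and dt.isdigit():
            # The mistake from the thread: the numeric type code instead of the type name.
            problems.append(f"{where}: data_type {dt!r} is a numeric code; use a type name such as 'unsigned8'")
        elif dt not in IPFIX_DATA_TYPES:
            problems.append(f"{where}: unknown data_type {dt!r}")
    return problems


# Constructed sample files reproducing the thread's two mistakes and the fixed form.
BAD_NUMERIC_TYPE = """{
  "enterprise_number": 6876,
  "information_elements": [
    {"element_id": 880, "name": "tenantProtocol", "data_type": "1"}
  ]
}"""

BAD_TRAILING_COMMA = """{
  "enterprise_number": 6876,
  "information_elements": [
    {"element_id": 880, "name": "tenantProtocol", "data_type": "unsigned8"},
  ]
}"""

GOOD = """{
  "enterprise_number": 6876,
  "information_elements": [
    {"element_id": 880, "name": "tenantProtocol", "data_type": "unsigned8"},
    {"element_id": 881, "name": "tenantSourceIPv4", "data_type": "ipv4Address"}
  ]
}"""

if __name__ == "__main__":
    for label, doc in (("numeric type", BAD_NUMERIC_TYPE),
                       ("trailing comma", BAD_TRAILING_COMMA),
                       ("fixed", GOOD)):
        print(label, "->", validate_definition(doc) or "OK")
```

Running it against a definition file before restarting the input turns the Jackson stack trace in graylog.log into a one-line message that names the offending element, which is quicker than diffing JSON by eye.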
